Attackers exploited a previously unknown and currently unpatched security bug in Microsoft's Internet Explorer browser to surreptitiously install malware on the computers of federal government workers involved in nuclear weapons research, researchers said on Friday.

The attack code appears to have exploited a zero-day vulnerability in IE version 8 when running on Windows XP, researchers from security firm Invincea said in a blog post. The researchers have received reports that IE running on Windows 7 is susceptible to the same exploit but have not been able to independently confirm that. Versions 6 and 7 of the Microsoft browser don't appear to be vulnerable.

Update: In an advisory published a couple of hours after this article went live, Microsoft confirmed a code-execution vulnerability in IE8. Versions 6, 7, 9, and 10 of the browser are immune to the exploit. People using IE8 should upgrade to versions 9 or 10, if possible. Those who are unable to move away from version 8 should take the following mitigations:

Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
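As an added example, not part of the article or Microsoft's advisory, the following PowerShell audits whether the two mitigations above are in place for the current user and can apply them. It assumes the standard IE zone registry layout (zone ids 1 and 3, values 1200 and 1400, action data 0/1/3, "High" = 0x12000) and that no Group Policy values under HKLM override the per-user settings.

```powershell
# Added example (not from the article or Microsoft's advisory): audit, and optionally
# apply, the IE zone mitigations the advisory lists, for the current user, via the registry.
# Assumptions about the IE zone registry layout (confirm on your build):
#   Zones\1 = Local intranet, Zones\3 = Internet
#   value 1200 = "Run ActiveX controls and plug-ins", value 1400 = "Active scripting"
#   action data: 0 = Enable, 1 = Prompt, 3 = Disable; CurrentLevel 0x12000 = "High" template
# Caveat: Group Policy values under HKLM\...\Policies override these HKCU values.
param([switch]$Apply)

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Settings  = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$HighLevel = 0x12000

function Get-ZoneSettingValue {
    param([string]$ZoneKey, [int]$SettingId)
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    $prop  = $props.PSObject.Properties["$SettingId"]
    if ($null -eq $prop) { return $null }   # value absent: IE uses the template default
    return [int]$prop.Value
}

function Get-IeZoneMitigationStatus {
    foreach ($zoneId in ($Zones.Keys | Sort-Object)) {
        $zoneKey = "$ZonesRoot\$zoneId"
        $level   = (Get-ItemProperty -Path $zoneKey -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
        foreach ($settingId in ($Settings.Keys | Sort-Object)) {
            $value = Get-ZoneSettingValue -ZoneKey $zoneKey -SettingId $settingId
            $action = switch ($value) {
                0       { 'Enable' }
                1       { 'Prompt' }
                3       { 'Disable' }
                default { 'unset/other' }
            }
            [pscustomobject]@{
                Zone       = $Zones[$zoneId]
                Setting    = $Settings[$settingId]
                Action     = $action
                ZoneIsHigh = ($level -eq $HighLevel)
                # Prompt or Disable satisfies the advisory for this setting.
                Mitigated  = ($value -eq 1 -or $value -eq 3)
            }
        }
    }
}

function Set-IeZoneMitigation {
    # Disable (3) ActiveX controls and Active Scripting in both zones. Writing the
    # individual values is what the "High" template does for these two settings;
    # changing CurrentLevel alone does not alter IE's behaviour.
    foreach ($zoneId in $Zones.Keys) {
        $zoneKey = "$ZonesRoot\$zoneId"
        foreach ($settingId in $Settings.Keys) {
            Set-ItemProperty -Path $zoneKey -Name "$settingId" -Value 3 -Type DWord
        }
    }
}

if ($Apply) { Set-IeZoneMitigation }
Get-IeZoneMitigationStatus | Format-Table -AutoSize
```

Run without `-Apply` to report, with `-Apply` to disable both settings in both zones for the current user; add trusted sites to the Trusted Sites zone afterwards, as the advisory recommends.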

The attack was triggered by a US Department of Labor website that was compromised to redirect visitors to a series of intermediary addresses that ultimately exploited the vulnerability, according to Invincea. The exploit caused vulnerable Windows machines to be compromised by "Poison Ivy," a notorious backdoor trojan that had been modified so it was detected by only two of 46 major antivirus programs in the hours immediately following the attack. The specific webpages that were hacked dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy, the blog post said, citing this report from NextGov. That's consistent with so-called "watering hole" attacks, in which employees of a targeted organization are infected by planting malware on the sites they're known to frequent.

"The target of this attack appears to be employees of the Dept of Energy that likely work in nuclear weapons research," Invincea researchers wrote in a separate report published Wednesday. The report went on to cite this technical analysis from security firm AlienVault. It found indicators in the command servers Poison Ivy contacted that the attack was carried out by "DeepPanda," a group of hackers believed to be located in China and to carry out espionage attacks on other countries.

Initial reports about the Department of Labor website compromise said an older IE vulnerability that Microsoft patched in January had been exploited. It was only in Friday's report that Invincea said this assessment is incorrect.

"For non-Invincea users, there are no known mitigations for this exploit that is currently in the wild," Friday's report warned. "For users of IE8, there is no patch currently available and with this exploit being out in the wild, the potential risk for damage is high."

Promoted Comments

I used to work at a pharmaceutical company that would spend $30,000, $50,000 on various scientific equipment, then hook it up to an 8 yr old Dell, that only had IE 8 on it. They were risking their intellectual property and reducing employee productivity to save a fraction of a percent of their yearly spending.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

Really? Really? How do you know it isn't (let me be just as idiotic) careless inexperienced new college hires responsible for this? Going to say something racist, misogynist, or religiously intolerant next are you?

Age-ist crap aside, the last time I checked it is the IT department, not Finance that makes these kinds of decisions. This has to be one of the dumbest comments I've ever seen on Ars. And an Editor's Pick too?

Ars what are you thinking of?

For the last few shops that I worked in, my experience was thus: IT requests it, Management and Finance hem and haw and shoot it down.

The only time I have not seen Finance shoot it down is when IT forced the issue by consulting Legal. Legal had an estimate done for how much the company would lose if the security risk was not resolved, Management shit itself and IT's requests were miraculously approved.

the last time I checked it is the IT department, not Finance that makes these kinds of decisions

I want to live in your magical world

This. Where I work, they backed out of approving 10 new desktops to get everyone off XP before support ends. They've backed off 3 new servers to replace the two 5-year-old (and one 8+ years old) servers that run the ERP systems. They don't have proper backups or any offsite backup whatsoever - nothing bad has happened yet, so why spend the money?

That's the same as saying that since you've never had an accident then you don't need to buy car insurance.

There is risk all about in the business world. Some of it is quite threatening (fire, earthquake in certain locations) and some of it is not. Management's job is to assess the risks and mitigate them appropriately. In some cases that's done with insurance, in other cases specific actions are taken (sprinkler system, better locks, etc). The insurance industry is now starting to factor IT equipment and security into the business policies it offers, but they still have a way to go.

As an earlier poster mentioned, once Legal looks at the risks/exposure, management often makes more informed decisions. As IT professionals requesting system upgrades or security measures, consider justifying them in terms of risk avoidance and reduction of exposure. It will help to get a quote from an insurance company for business-continuity coverage etc. If management does not want to purchase that - that's their call. Just remind them that if they don't have it then they're self-insuring. You *always* have "insurance" - sometimes you pay the premium and someone else covers the loss. Otherwise you save the premium and are at risk for the entire loss. Pick one ...

Age-ist crap aside, the last time I checked it is the IT department, not Finance that makes these kinds of decisions. This has to be one of the dumbest comments I've ever seen on Ars. And an Editor's Pick too?

Ars what are you thinking of?

I work at a research institution (edu, not corporate) and most of the time these kinds of decisions are made by the scientists themselves and their finance managers who are trying to balance their limited budgets. Most of the time IT has very little to say about what kind of computer is hooked up to an instrument. They have no choice but to pay whatever the vendor is asking for the instrument, but they do have a choice what computer to hook up to it so they try to save there.

Often budgets are set up in a way that funds can be spent only on specific types of purchases. So a lab may have a million to spend on scientific instruments but only $10k to spend on computers, which includes desktops for all the staff. We have labs who use old hand-me-downs because they have no budgets for computers but they have plenty of money for other things.

Finally, they often use software that can't tolerate newer OS and updates. Scientific vendors are notorious for writing crap software using poor coding techniques (saving stuff in the app dir or \Windows instead of user's dir?!). Often their programs have to be run as Administrator too. We have machines running XP SP1 because SP2 would break the software and the vendor can't be bothered to update the software or if they do they charge full price for the fixed version. Damn, we have finance webapps that still require IE7 or even 6 in a few cases. And that is not up to IT to decide.

I used to work at a pharmaceutical company that would spend $30,000, $50,000 on various scientific equipment, then hook it up to an 8 yr old Dell, that only had IE 8 on it. They were risking their intellectual property and reducing employee productivity to save a fraction of a percent of their yearly spending.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

The reason for the older computer/OS/browser is often that the vendor won't support their control software on anything else. They specify WinXP and a live network connection. Sure, the software would probably run on newer versions, but they haven't bothered to vet it.

Often that very expensive equipment only has an RS-232 connection, and doesn't work with a USB to RS-232 adapter and anything later than Windows XP. So you'll need an 8 year old computer, it's very difficult to find a new system that has a hardware RS-232 port anymore.

It is easy to get hardware PCI based RS232 ports and even my laptop has a PCI express hardware port that I run in Windows 8.

that is no excuse...

If the equipment is not on a network (or on an internal network with no bridge to the Internet), then it doesn't really matter one way or the other. At least from a security standpoint.

From a technical standpoint, things are messier.

It may cost a few hundred dollars for a proper serial port and updated software, but you also have to factor in testing and updating internal code. That amounts to several hundred to several thousand dollars. Even though a research group/department may have equipment worth several hundred thousand dollars, they may have paid significantly less than that. I've seen equipment transferred from one group to another for pennies on the dollar. Even though the original group may have the funding to do the upgrades, the recipient group does not.

Time and skills are another factor. Brilliant researchers and lab technicians are not necessarily brilliant computer technicians. Even a good computer technician would have to devote a considerable amount of time to acquire and update skills that are esoteric at best. (You may think that you know how RS-232 works from dealing with network gear. Well, lab equipment is different. The software involved with lab equipment is also highly specialized.) Lost time can also make a difference when publishing results or applying for funding.

At the end of the day, I would suggest that applying blanket statements like, "there are no excuses," is rather dangerous. That's particularly true if you work outside of the silo you're commenting on. (Even my comments may be misleading, because I'm familiar with university research facilities rather than government research facilities.)

I used to work at a pharmaceutical company that would spend $30,000, $50,000 on various scientific equipment, then hook it up to an 8 yr old Dell, that only had IE 8 on it. They were risking their intellectual property and reducing employee productivity to save a fraction of a percent of their yearly spending.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

The reason for the older computer/OS/browser is often that the vendor won't support their control software on anything else. They specify WinXP and a live network connection. Sure, the software would probably run on newer versions, but they haven't bothered to vet it.

Precisely. The vendors make the bulk of their money selling the instruments and software development is secondary. Even big ones like Zeiss and Leica drag their feet with software updates. And often their software costs thousands of dollars and/or requires a newer controller/capture board and that can cost another couple of grand so labs choose to run the older versions on older hardware under older OS. Some vendors plain refuse to sell you new software unless you buy a new instrument. In this business even point updates often cost a lot of money and licensing is draconian. Gamers think game DRM is bad. Try installing your analysis software on a rebuilt computer. Lost your dongle? That'll be $1,000 for a new dongle and $3,000 for a new license.

This is also the reason why labs often use old software that was written by some post-doc ten years ago. You think XP SP1 is bad? There is software in academia that needs Windows 98 or OS9 to run. But it does exactly what's needed for a given experiment and it's free so IT needs to make their best effort to get that box running.

Age-ist crap aside, the last time I checked it is the IT department, not Finance that makes these kinds of decisions. This has to be one of the dumbest comments I've ever seen on Ars. And an Editor's Pick too?

Ars what are you thinking of?

I work at a research institution (edu, not corporate) and most of the time these kinds of decisions are made by the scientists themselves and their finance managers who are trying to balance their limited budgets. Most of the time IT has very little to say about what kind of computer is hooked up to an instrument. They have no choice but to pay whatever the vendor is asking for the instrument, but they do have a choice what computer to hook up to it so they try to save there.

Often budgets are set up in a way that funds can be spent only on specific types of purchases. So a lab may have a million to spend on scientific instruments but only $10k to spend on computers, which includes desktops for all the staff. We have labs who use old hand-me-downs because they have no budgets for computers but they have plenty of money for other things.

Finally, they often use software that can't tolerate newer OS and updates. Scientific vendors are notorious for writing crap software using poor coding techniques (saving stuff in the app dir or \Windows instead of user's dir?!). Often their programs have to be run as Administrator too. We have machines running XP SP1 because SP2 would break the software and the vendor can't be bothered to update the software or if they do they charge full price for the fixed version. Damn, we have finance webapps that still require IE7 or even 6 in a few cases. And that is not up to IT to decide.

This sounds like a whole lot of reasons to have an in-house dev team for sciency stuff. I am part of an in-house dev team and whilst our competitors have all of the problems you mentioned, we save tens of thousands on software purchasing/licensing costs and as a side-bonus get to run Win7 and IE9 across the company.

If the software you want to use is crap, you are better off developing in-house. Of course, if there's available software that's already good, as a rule it's going to be better value to buy it.

We see the same in deeply specialized software in the military. Often the original vendor has long gone or the guy who wrote it has retired and is sipping cocktails in Florida.

Often these little gems of software are incredibly good and a marvel of coding. They do exactly as you ask and no bloat. Of course they never work with new OS'.

We tend to try and move them on to a VM of the old OS' which is always a pleasure and never a problem arises - honest.

I think that a large chunk of people see Office, even just Word and Outlook, as the critical business apps and everything else happens over a browser. You press buttons and the magic computer pixies run off and fetch things. They don't get the background stuff that needs to happen. Of course that is not shiny and new so hey.

I love it when they cry "but I've got <insert latest browser> at home, why can't I just download that". Sometimes I am tempted to let them and watch the background stuff fail and laugh at them.

Just a heads-up Ars: Since you published this article, the number of major antivirus programs that detect Poison Ivy has jumped from 2 to 16 out of 46. Per your own link.

Otherwise, great reporting!

Thanks for the compliment about my reporting. I work hard and write two to three in-depth stories on a typical workday, so your kind words mean a lot.

My article noted that the two out of 46 figure was current "in the hours immediately following the attack." I put a link to the VirusTotal site so readers could check for themselves if the figure was still current. The nature of breaking news is that specific details change more quickly than a single reporter has time to update, especially during the weekend. It's unrealistic to think that articles are going to be updated hour by hour to reflect each time an AV program has added a definition.

I'm not trying to complain or be defensive. I just want readers to understand the realities of real-time news reporting.

It's become a cliche, but it's still worth repeating: Sandboxes and mitigations such as ASLR and DEP are the computing equivalents of airbags or seatbelts in your car. They may not save lives in every case, but they still make a lot of sense to use. In addition to minimizing the damage that can be done when attackers discover a vulnerability, they also drive up the cost and effort required to develop "weaponized" attacks.

Sticking with antiquated tech is a disease which affects mid-to-late career IT people

I'd suggest that rather than make your assertion an absolute you make it a "possible" or even "likely". I imagine that having dealt with 20 years of new technology rollouts, and some of them going south in a big way, a senior IT admin might well want to move carefully, especially in Fortune 500 companies. Disasters tend to make conservatives of us all.

I agree: this is why I was careful to note that it's not inevitable but it's a common outcome based on personality, experience and both how much risk your organization faces and the health of the management structure. If you worked at, say, a government organization where a breach means congressional inquiries, bad press, and a high likelihood of senior management hanging you out to dry there's an enormous pressure to be conservative and back everything with huge consulting reports and other justifications. If you work somewhere very result-driven and where everyone understands security is a hard problem (e.g. Google or Mozilla) you're probably going to be far more aggressive because you only have to prove competence to your peers, not fitting it into a larger, complicated political picture.

Age-ist crap aside, the last time I checked it is the IT department, not Finance that makes these kinds of decisions. This has to be one of the dumbest comments I've ever seen on Ars. And an Editor's Pick too?

Ars what are you thinking of?

I work at a research institution (edu, not corporate) and most of the time these kinds of decisions are made by the scientists themselves and their finance managers who are trying to balance their limited budgets. Most of the time IT has very little to say about what kind of computer is hooked up to an instrument. They have no choice but to pay whatever the vendor is asking for the instrument, but they do have a choice what computer to hook up to it so they try to save there.

Often budgets are set up in a way that funds can be spent only on specific types of purchases. So a lab may have a million to spend on scientific instruments but only $10k to spend on computers, which includes desktops for all the staff. We have labs who use old hand-me-downs because they have no budgets for computers but they have plenty of money for other things.

Finally, they often use software that can't tolerate newer OS and updates. Scientific vendors are notorious for writing crap software using poor coding techniques (saving stuff in the app dir or \Windows instead of user's dir?!). Often their programs have to be run as Administrator too. We have machines running XP SP1 because SP2 would break the software and the vendor can't be bothered to update the software or if they do they charge full price for the fixed version. Damn, we have finance webapps that still require IE7 or even 6 in a few cases. And that is not up to IT to decide.

This sounds like a whole lot of reasons to have an in-house dev team for sciency stuff. I am part of an in-house dev team and whilst our competitors have all of the problems you mentioned, we save tens of thousands on software purchasing/licensing costs and as a side-bonus get to run Win7 and IE9 across the company.

If the software you want to use is crap, you are better off developing in-house. Of course, if there's available software that's already good, as a rule it's going to be better value to buy it.

In-house development is often done but there are a few issues here. Again, speaking from my experience working with biologists at this particular institution. I'm sure things might be different for physicists, engineers, etc., who might need to write a lot more custom code.

Academia is a very dynamic and often unstructured environment and more often than not there isn't enough time or funds to fully develop software for a particular purpose.

Furthermore, people often leave for another institution, grants change, experiments fail, and software is abandoned and never updated, source code may be lost (hence the need to run 10+ yo software on antique systems), or software was written for one-off purpose, many years ago and nobody ever needed it until now. So if someone needs software for an experiment that may take only a few months or even weeks, they won't have the time and resources to develop a new app so they will want to run that old application now.

Finally, APIs needed to communicate with instruments and certain data and file types are often secret, proprietary and copyrighted so you don't have access to them to write your own application and have to get the software from the vendor.

Chrome, IE8+ and Safari all run in Sandboxes. But Windows XP itself doesn't have integrity level features to enforce sandboxing like Windows Vista and up do.

Bullshit...

I can use Sandboxie to run MSIE in a Sandbox...

...and somehow Microsoft can't do this?

There are no integrity levels in Windows XP - period. They do not exist and native sandboxing in Windows cannot be done without them. You don't like it - upgrade to an OS with modern security features like Vista, 7 or 8. Otherwise, stick with your 10 year old operating system with the security capabilities to match.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

Often, the problem is not with finance or IT - it's with the vendor of the equipment who only supports Windows 2000 on P-IV chips.

"...Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure..."

Korgoth, you have never worked in enterprise I.T. You are out of your league. Go back to reading your comic books now. No, wait. Your mother is calling you. Go.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

The future finance folks will treat finance and IT in much the same way as they do today - by the numbers. Finance folks today do not pay much attention to the problems raised by IT folks because the IT folks focus on the needs of IT. Any competent finance weenie will find lots of ways to undermine that.

Which is why I made the comment about insurance, and getting a quote for a policy for business continuation, and so on. It will be expensive (I've seen them). My point is that this external assessment (the cost of the policy) is the basis for negotiation between finance and IT. Finance cannot reject the insurance quote as unreasonable unless they have a better quote from elsewhere. And once the Board has the quote it is on notice that the risk exists, and it also knows the overall exposure.

In the case of exposure to fire losses, the data is extensive and well-known. As a result, policies are competitive and spending money to reduce the risk (e.g. better sprinklers, more sensors) has a known benefit in reduction of premium. Finance folks understand all this stuff. They will analyze the cost-benefit of improved fire protection and recommend, or not, the expenditure to the Board purely on financial grounds.

That is where the IT community needs to be - with finance supporting IT expenditures based upon solid cost-benefit data. Talk to your insurance agent and you're likely to find help.

I used to work at a pharmaceutical company that would spend $30,000, $50,000 on various scientific equipment, then hook it up to an 8 yr old Dell, that only had IE 8 on it. They were risking their intellectual property and reducing employee productivity to save a fraction of a percent of their yearly spending.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

Oh please. I just visited a friend who is in security at a very high level for a federal agency in DC that will remain unnamed. He's 58, and has been at it a very long time. In his current contract, his boss is a former NSA analyst, 35 years old, and still living with his parents. This youngster tends to hire other young people not because they are more savvy than the kind of dinosaurs my friend represents, but because they tend to be more deferential to him and don't challenge him even when they know he is off base.

There's all sorts of people out there, young and old, who are good or not so good. But some research is beginning to show that people in their 40's and 50's are functioning at their peak. They are some of the best innovators out there.

The "don't trust anyone over 30" meme came from a bunch of drug-addled hippies in the 60's. It's about time that bigotry is dumped from the conversation.

I don't think you have to worry about ageism or a new generation for IT. Seems it's being outsourced to automation anyhow... a handful of people managing tens of thousands of machines these days, and doing it securely at that.

I used to work at a pharmaceutical company that would spend $30,000, $50,000 on various scientific equipment, then hook it up to an 8 yr old Dell, that only had IE 8 on it. They were risking their intellectual property and reducing employee productivity to save a fraction of a percent of their yearly spending.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

I wish I could up-vote this more.

I can add that this is also common in well-funded academic labs. In my case, I have to work with 12-year-old Dells with video cards that can only support CRTs.

Hopefully as older people retire and die off a younger generation of finance professionals will take over who understand the value and necessity of maintaining a reasonably up to date IT infrastructure.

Really? Really? How do you know it isn't (let me be just as idiotic) careless inexperienced new college hires responsible for this? Going to say something racist, misogynist, or religiously intolerant next are you?

Age-ist crap aside, the last time I checked it is the IT department, not Finance that makes these kinds of decisions. This has to be one of the dumbest comments I've ever seen on Ars. And an Editor's Pick too?

Ars what are you thinking of?

For the last few shops that I worked in, my experience was thus: IT requests it, Management and Finance hem and haw and shoot it down.

The only time I have not seen Finance shoot it down is when IT forced the issue by consulting Legal. Legal had an estimate done for how much the company would lose if the security risk was not resolved, Management shit itself and IT's requests were miraculously approved.

I've worked in all sizes of infrastructure, and especially as the size gets larger, the power to make decisions is removed behind layer upon layer of red-tape. In most SMB/SME settings you can write up a white paper with a VERY HEAVY FOCUS on risk-cost analysis and Total Costs of Ownership, with just enough technical information to explain those costs and benefits, but ultimately it always comes down to the bean-counters. Just ask your nearest friendly BOFH.

Often that very expensive equipment only has an RS-232 connection, and doesn't work with a USB to RS-232 adapter and anything later than Windows XP. So you'll need an 8 year old computer, it's very difficult to find a new system that has a hardware RS-232 port anymore.

It is easy to get hardware PCI based RS232 ports and even my laptop has a PCI express hardware port that I run in Windows 8.

that is no excuse...

Anyone that thinks that unequivocally is a jackass. Hardware based PCI express ports are not "real" in the sense that basic generic legacy code canNOT directly access the serial or printer port. A lot of proprietary hardware requires security devices to allow any access to the device or the application software requires direct access to the port. In addition application software often is locked to a specific BIOS/Hard drive ID combination. AutoCad is one of those applications and as software packages go, depending on the attached optional packages is a substantial investment.

LOL - same old tra la la.... I noted with joy that Windows 7 actually allows you to completely uninstall IE!! Not that any other browser is a panacea, but it seems like the Firefox/Chrome folks are a little quicker on the security updates. In a world of Stuxnet and other nation state devised malware, no one is safe unless their CCC gear is air gapped as mentioned above. Critical equipment simply shouldn't be attached to the internet, it's that simple. Err.... well, easier said than done, I know - and all it takes is one errant flash drive if the USB ports aren't epoxied shut...... then again, that makes it hard to hook the computers to the lab equipment...... (sigh) - I obviously have no idea what the solution is, but I can make a prediction: This problem will get worse in the future, until some disaster destroys millions in property and kills some number of people.

zunipus wrote: Obvious simple questions for the modern age of computing:

Why does anyone requiring secrecy and security do the following?

1) Use Microsoft Windows or Office, which have notoriously, long term worst-in-class security? (No, hypersensitives. This is not troll FUD. It's fact).

Office is still the standard... why do people use Adobe anything? Because it is the standard, even though it is coded like Swiss cheese. Why do you think the NSA runs Linux? Because they can afford to hire people that understand how to use a PC without Windows. Windows and Office aren't the problem, it's the people who call the shots. The people who write the policies.

2) Connect devices containing secret/secure information to the Internet?

The simplest reason is reporting to another branch/site. The people running the network probably aren't government employees, they are probably contractors. When someone with a high enough rank or grade says "why can't I get to this on the internet?" you usually are forced to give them what they want regardless of the implications or risks. The government spends at least half of its time in everyone's business. I had to code a procedure to FTP a report to another base that ran at the CoB every day so the 4-star general could see if we "had a good day or not". I wish I made that up.

3) Not encrypt all their secret/secure information?

Cost. Not in acquisition but labor and paying people who are familiar enough to support it. The average government user, even if they are researchers, is still in the same boat as a first-time user when it comes to anything on a PC. If anything is going to change, everyone that works in a place that requires even a background check should be required to also have a Security+. IMHO even if they are a secretary or work in shipping and receiving and barely touch a computer.

How do I know this? I fought this fight as an IT contractor for the DoD/AF for years. It's a losing battle and eventually you hand in your two weeks because nothing ever changes.